Add headless runtime tooling and Campaign.win analysis
parent
57bf0666e0
commit
27172e3786
37 changed files with 11867 additions and 302 deletions
|
|
@ -167,6 +167,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
|
|||
0x00431b20,399,world_apply_compact_runtime_effect_record_to_resolved_targets,map,thiscall,inferred,objdump + local disassembly + caller correlation,3,"Dispatches one linked compact runtime-effect record against the caller-resolved target context. The record token at `[*record+0x00]` is translated through the static table at `0x0061039c`; when the translated class lies in the `0x1f7..0x265` range the helper immediately re-enters `world_try_place_random_structure_batch_from_compact_record` `0x00430270`. Otherwise it jumps through the local class table at `0x004320b4/0x004320fc` into a mixed effect family that now includes: shell-state modifier branches over `0x006cec78`, signed scalar adjustments on resolved company/profile/territory targets through the `0x004d6611/0x004d6617` numeric readers, territory-access writes through `company_set_territory_access_rights_byte` `0x00424030`, selected-profile updates through `0x00434890/0x004348c0`, and several collection-side erase or follow-on branches. Current grounded caller is the outer loop at `0x00432317`, which walks linked compact records via `[record+0x24]` and supplies optional resolved company, chairman-profile, and adjacent owner context before each dispatch. This is therefore the current safest read for the wider compact runtime-effect dispatcher above the separate world-side structure-batch placement branch rather than as a placement-only helper.","objdump + local disassembly + caller correlation + effect-dispatch correlation"
|
||||
0x004323a0,842,scenario_runtime_effect_record_service_and_dispatch_linked_compact_effects,scenario,thiscall,inferred,objdump + local disassembly + caller correlation,3,"Per-record service pass over one live runtime-effect record in the scenario event collection. The helper first enforces several activation gates over the record's local control bytes and shell-side preview state, including one one-shot latch at `[this+0x81f]`, mode byte `[this+0x7ef]`, optional preview-policy byte `[this+0x7f4]`, and shell-side state at `0x006cec78/0x006cec74`. Once active it formats the optional status line through shell news helper `0x004554e0`, derives a target-availability bitmask through `0x0042d700`, resolves optional company/chairman/territory target pools, and then walks the linked compact effect chain rooted at `[this+0x00]`. Each linked record is dispatched through `world_apply_compact_runtime_effect_record_to_resolved_targets` `0x00431b20`, while fallback branches synthesize follow-on runtime-effect records through `scenario_runtime_effect_record_build_followon_effect_from_compact_record_and_targets` `0x00430b50`. When any effect fires it may refresh company share-price caches through `company_compute_public_support_adjusted_share_price_scalar` `0x00424fd0`, and records with nonzero `[this+0x7f5]` set the one-shot latch `[this+0x81f]`. Current grounded caller is the collection-wide service loop `scenario_event_collection_service_runtime_effect_records_for_trigger_kind` `0x00432f40`. This is therefore the current safest read for the runtime-effect record service and linked-effect dispatcher rather than a low-level target iterator.","objdump + local disassembly + caller correlation + runtime-effect-service correlation"
|
||||
0x00433130,169,scenario_event_collection_refresh_runtime_records_from_packed_state,scenario,thiscall,inferred,objdump + caller xrefs + local disassembly,3,"Collection-wide runtime materialization pass over the live event collection at `0x0062be18`. The helper stages one small packed header read from the caller-supplied state or stream object, walks every live event record in the collection through `indexed_collection_slot_count` `0x00517cf0`, `indexed_collection_get_nth_live_entry_id` `0x00518380`, and `indexed_collection_resolve_live_entry_by_id` `0x00518140`, and re-enters `scenario_event_refresh_runtime_record_from_packed_state` `0x0042db20` on each resolved record. When the sweep completes it clears the collection-side reentrancy or dirty latch at `[this+0x88]`. Current grounded callers are the `Setting up Players and Companies...` `319` lane inside `world_entry_transition_and_runtime_bringup` `0x00443a50` and one neighboring world-build path at `0x00448020`, so this now reads as the event-side runtime refresh pass beneath post-load world setup rather than an anonymous collection walk.","objdump + caller xrefs + local disassembly + event-collection correlation + post-load-pipeline correlation"
|
||||
0x004336d0,95,world_runtime_reset_startup_dispatch_state_bands,map,thiscall,inferred,objdump + caller xrefs + local disassembly,3,"Small runtime-object zero-init helper immediately above `shell_active_mode_run_profile_startup_and_load_dispatch` `0x00438890`. The helper clears a bounded startup-owned state band on the caller object, including `[+0x4cae]`, `[+0x4cb2]`, `[+0x46a80..+0x46aa0]`, `[+0x66b2]`, `[+0x66b6]`, `[+0x46c34]`, and `[+0x66ae]`, then returns the same pointer. Current grounded callers are the mode-`4` `LoadScreen.win` lane inside `shell_transition_mode` at `0x004830b6` and the multiplayer preview launch lane at `0x0046b8c9`, both of which then publish the returned object into `0x006cec78` and immediately call `0x00438890`. This is therefore the safest current read for the pre-dispatch runtime reset helper rather than another world-release path.","objdump + caller xrefs + local disassembly + pre-dispatch-state correlation"
|
||||
0x00432ea0,103,scenario_event_collection_allocate_runtime_effect_record_from_compact_payload,scenario,thiscall,inferred,objdump + local disassembly + caller correlation,3,"Allocates and initializes one live runtime-effect record in the scenario event collection at `0x0062be18` from a compact payload source. The helper allocates one temporary `0x88f` payload object, inserts a new collection entry through the generic collection allocator path, resolves the inserted live entry, and then initializes that entry from the caller-supplied compact payload through `0x0042d670` before freeing the temporary object. Current grounded callers are `scenario_runtime_effect_record_build_followon_effect_from_compact_record_and_targets` `0x00430b50` and the shell-side branch at `0x004db9f1`, where the returned live entry id is stored back into the caller object. This is therefore the current safest read for the scenario event collection's runtime-effect allocator rather than a generic collection clone helper.","objdump + local disassembly + caller correlation + runtime-effect-allocation correlation"
|
||||
0x00432f40,267,scenario_event_collection_service_runtime_effect_records_for_trigger_kind,scenario,thiscall,inferred,objdump + local disassembly + caller correlation,3,"Collection-wide service loop over the live scenario event collection at `0x0062be18` for one caller-selected trigger kind byte. The helper first rejects fast-forward and editor-map gates through `0x006cec78+0x46c38`, `[0x006cec7c+0x82]`, and `[0x006cec74+0x68]` unless the trigger kind is `9`, then walks every live runtime-effect record through `indexed_collection_slot_count` `0x00517cf0`, `indexed_collection_get_nth_live_entry_id` `0x00518380`, and `indexed_collection_resolve_live_entry_by_id` `0x00518140`. Each resolved record is serviced through `scenario_runtime_effect_record_service_and_dispatch_linked_compact_effects` `0x004323a0` with the selected trigger kind and optional text sink. When any record fires, the helper refreshes every active company's cached share price through `company_compute_public_support_adjusted_share_price_scalar` `0x00424fd0`; when the collection dirty latch at `[this+0x88]` is raised it clears that latch and immediately reruns the whole pass with trigger kind `0x0a`. 
The caller split is now tighter too: recurring simulation maintenance drives kinds `1`, `0`, `3`, and `2` through `0x0040a276`, `0x0040a55f`, `0x0040a6cb`, and `0x0040a7a3`, while the neighboring route-style follow-on at `0x0040a91f` drives kinds `5` and `4` through `0x0040a930` and `0x0040a9ac`; world or startup-side company creation branches at `0x00407682`, `0x0047d293`, `0x0047d42b`, and `0x0047d6de` drive kind `7`; the kind-`6` branch is now tighter too, covering the placed-structure post-create tail at `0x0040f69e`, the build-version-gated company-startup or roster-refresh tail at `0x00428406`, and the route-entry post-change sweep at `0x004a3eae`; the kind-`8` world-entry one-shot gate now sits inside `world_entry_transition_and_runtime_bringup` `0x00443a50`, where it fires after the post-load company or route setup passes and then clears shell-profile latch `[0x006cec7c+0x97]`; and the `LoadScreen.win` briefing page at `0x004e520b` drives kind `9`. This is therefore the current safest read for the scenario event collection's collection-wide runtime-effect service loop rather than a generic text-query helper.","objdump + local disassembly + caller correlation + collection-service correlation + trigger-kind callsite decode"
|
||||
0x00433bd0,546,world_refresh_selected_year_bucket_scalar_band,simulation,thiscall,inferred,objdump + local disassembly + caller inspection,3,"Shared selected-year companion beneath `world_set_selected_year_and_refresh_calendar_presentation_state` `0x00409e80`. The helper reads the packed world year at `[this+0x0d]`, bins it against the threshold table at `0x005f3978/0x005f3980`, derives one interpolated bucket fraction when the current year falls inside a nontrivial range, and writes the resulting float band into `[this+0x65]`, `[this+0x69]`, `[this+0x6d]`, and `[this+0x4ca2]` after one build-version-sensitive clamp through `0x00482e00`. Current grounded callers are the year-step path in `simulation_service_periodic_boundary_work` around `0x0040a123`, the post-fast-forward setup tail around `0x00437168`, and the later staged-profile rehydrate band inside `world_entry_transition_and_runtime_bringup` `0x00443a50`, so this is the safest current read for the shared year-bucket scalar rebuild helper rather than a world-entry-only follow-on.","objdump + local disassembly + caller inspection + year-bucket-table correlation + world-entry correlation"
|
||||
|
|
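Review bot: The `0x004336d0` row names its first caller as the mode-`4` `LoadScreen.win` lane at `0x004830b6` and says that lane publishes into `0x006cec78` and calls `0x00438890`, which contradicts the `shell_transition_mode` row on this page. That row places the mode-`1` startup-dispatch arm at `0x483012` and the mode-`4` arm at `0x4832e5`, and states that mode `4` does not own the startup-runtime allocation or the `0x00438890` callsite. Relabel the caller as the mode-`1` startup-dispatch arm so the two rows agree. The row also sits between `0x00433130` and `0x00432ea0`, in a block that is already out of address order; placing it directly before `0x00433bd0` would keep later diffs of this region easier to read.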
@ -738,7 +739,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
|
|||
0x00481fd0,348,bootstrap_scan_autorun_media,bootstrap,cdecl,inferred,ghidra-headless,4,Scans drive letters for RT3 autorun marker files rt3d1.txt and rt3d2.txt using GetDriveTypeA and open or close helpers before deeper shell init.,ghidra + rizin
|
||||
0x00482160,101,shell_state_service_active_mode_frame,shell,thiscall,inferred,objdump + analysis-context,4,Acts as the broader shell-state service pass around one active-mode update on the shell state rooted at 0x006cec74. The helper increments nested-service depth at [this+0x64] optionally notifies the active mode object at 0x006cec78 through 0x0051f940 and 0x00434050 primes the shell runtime at 0x006d401c through 0x00538b60 conditionally services the Multiplayer preview-dataset object at 0x006cd8d8 through 0x00469720 and then dispatches shell_service_frame_cycle on the global shell controller at 0x006d4024 before decrementing the depth counter.,objdump + analysis-context + caller xrefs
|
||||
0x004821d0,1019,shell_recompute_layout_slots,bootstrap,thiscall,inferred,ghidra-headless,4,Recomputes the shell layout-slot table after resolution or related display selectors change; derives normalized coordinates from static float tables updates 144 slot entries through the shell bundle child at [0x006d4024+0x18] and then commits the refreshed state.,ghidra + rizin
|
||||
0x00482ec0,1359,shell_transition_mode,bootstrap,thiscall,inferred,ghidra-headless + objdump,4,"Switches the shell state's active mode at `[this+0x08]`, tears down any prior mode object, selects one of seven mode-specific handlers, updates globals like `0x006cec78`, and then notifies the shell bundle through `0x00538e50`. The constructor jump table at `0x48342c` is now mostly grounded as a real mode map rather than raw branch addresses: mode `1` enters the `Game.win` family through `shell_game_window_construct` `0x004dfbe0`, mode `2` enters `Setup.win` through `shell_setup_window_construct` `0x00504010`, mode `3` enters `Video.win` through `shell_video_window_construct` `0x005174e0`, mode `4` enters `LoadScreen.win` through `shell_load_screen_window_construct` `0x004ea620`, mode `5` enters `Multiplayer.win` through `multiplayer_window_init_globals` `0x004efe80`, mode `6` enters `Credits.win` through `shell_credits_window_construct` `0x004c7fc0`, and mode `7` enters `Campaign.win` through `shell_campaign_window_construct` `0x004b8e60`. The clearest load-side lane remains mode `4`: it publishes the new active-mode object into `0x006cec78` and then calls `shell_active_mode_run_profile_startup_and_load_dispatch` `0x00438890` with stack args `(1, 0)`. The paired old-mode teardown side is now tighter too: mode `1` tears down through `shell_game_window_destroy` `0x004dfd70`, mode `3` through `shell_video_window_destroy` `0x00517570`, mode `4` through `shell_load_screen_window_destroy` `0x004ea730`, mode `6` through `shell_credits_window_destroy` `0x004c7bc0`, and mode `7` through `shell_campaign_window_destroy` `0x004b8dc0`. Current grounded callers remain bootstrap shell bring-up at `0x004840e0` and the world-entry side at `0x00443a50`.","ghidra + rizin + objdump + branch-disassembly correlation + jump-table decode + constructor/destructor correlation"
|
||||
0x00482ec0,1359,shell_transition_mode,bootstrap,thiscall,inferred,ghidra-headless + objdump,4,"Switches the shell state's active mode at `[this+0x08]`, tears down any prior mode object, selects one of seven mode-specific handlers, updates globals like `0x006cec78`, and then notifies the shell bundle through `0x00538e50`. The calling convention is tighter now too: the function is a `thiscall` with two stack arguments, confirmed both by the entry-side stack read from `[esp+0x0c]` and by the `ret 8` epilogue at `0x48340c`. The grounded world-entry load-screen call shape at `0x443adf..0x443ae3` is therefore `(mode=4, arg2=0)`, not a one-arg mode switch. The second stack argument is tighter now too: current local evidence reads it as an old-active-mode teardown flag rather than a second mode id. The branch at `0x482fc6..0x482fff` only runs when that second argument is nonzero, and in that case it releases the old global active-mode object through `world_runtime_release_global_services` `0x00434300`, `0x00433730`, the common free path `0x0053b080`, and then clears `0x006cec78`. The caller split matches that read: the world-entry load-screen transition uses `(4, 0)` as the plain `LoadScreen.win` arm, while the later world-entry reactivation branch at `0x444c3b..0x444c44` enters mode `1` as `(1, esi)` after `0x4834e0` and `0x44ce60`, making the nonzero second argument the strongest current fit for 'tear down the prior active gameplay world while switching modes'. 
The constructor jump table at `0x48342c` is now grounded as a real mode map rather than raw branch addresses: mode `1` enters the startup-dispatch arm at `0x483012`, mode `2` enters `Setup.win` through `shell_setup_window_construct` `0x00504010`, mode `3` enters `Video.win` through `shell_video_window_construct` `0x005174e0`, mode `4` enters the plain `LoadScreen.win` arm at `0x4832e5` through `shell_load_screen_window_construct` `0x004ea620`, mode `5` enters `Multiplayer.win` through `multiplayer_window_init_globals` `0x004efe80`, mode `6` enters `Credits.win` through `shell_credits_window_construct` `0x004c7fc0`, and mode `7` enters `Campaign.win` through `shell_campaign_window_construct` `0x004b8e60`. The startup side is correspondingly tighter now too: mode `1` first constructs and publishes one transient `LoadScreen.win` object through `0x004ea620` and `0x00538e50`, then sets `[load_screen+0x78]` through `0x004ea710`, allocates the separate startup-runtime object through `0x0053b070(0x46c40)`, clears its startup-owned bands through `world_runtime_reset_startup_dispatch_state_bands` `0x004336d0`, publishes that second object into `0x006cec78`, and only then calls `shell_active_mode_run_profile_startup_and_load_dispatch` `0x00438890` with stack args `(1, 0)`. After that straight-line call it immediately unpublishes the shell-window object again through `0x005389c0([0x006d401c], [this+0x0c])` before later mode-specific destroy paths continue. Mode `4`, by contrast, only constructs and publishes `LoadScreen.win` and does not own the startup-runtime allocation or `0x00438890` callsite. The paired old-mode teardown side is now tighter too: mode `1` tears down through `shell_game_window_destroy` `0x004dfd70`, mode `3` through `shell_video_window_destroy` `0x00517570`, mode `4` through `shell_load_screen_window_destroy` `0x004ea730`, mode `6` through `shell_credits_window_destroy` `0x004c7bc0`, and mode `7` through `shell_campaign_window_destroy` `0x004b8dc0`. 
Current live hook probes now show the old hook-side crash is gone: on the hook-driven path `shell_transition_mode(4, 0)` returns cleanly, and the inner old-object unpublish, `0x005400c0 -> 0x0053fe00 -> 0x0053f860` removal sweep, mode-`2` teardown helper `0x00502720`, `LoadScreen.win` construct, and shell publish all return. The corrected jump-table decode now explains the remaining runtime gap too: the current plain-run logs still do not show a trusted `0x00438890` entry because the hook has been entering mode `4`, not the mode-`1` startup-dispatch arm that statically owns that callsite. Current grounded callers remain bootstrap shell bring-up at `0x004840e0` and the world-entry side at `0x00443a50`.","ghidra + rizin + objdump + branch-disassembly correlation + jump-table decode + constructor/destructor correlation + epilogue and call-shape verification + caller-behavior correlation + live-hook probe correlation + pre-dispatch-runtime-object split"
|
||||
0x005a2d64,101,crt_init_exit_handlers,startup,cdecl,inferred,ghidra-headless,3,Initializes on-exit tables and registers atexit handling before control reaches application startup.,ghidra + rizin
|
||||
0x005a30f2,34,__amsg_exit,startup,cdecl,inferred,ghidra-headless,4,CRT fatal-exit helper that forwards startup failures into __exit.,ghidra + rizin
|
||||
0x005a3117,36,crt_fast_error_exit,startup,cdecl,inferred,ghidra-headless,4,Startup error path that optionally emits the CRT banner then formats the failure and terminates through ___crtExitProcess.,ghidra + rizin
|
||||
|
|
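Review bot: The replacement `shell_transition_mode` notes field ends with live-hook probe status ('the old hook-side crash is gone', 'the current plain-run logs still do not show a trusted `0x00438890` entry'), which describes one test setup rather than the function and will go stale while the row keeps confidence `4`. Move the probe findings to a dated runtime notes file and keep the static conclusions here (two stack arguments, `ret 8`, the mode map, the teardown flag). The mode-`1` entry also changed from `shell_game_window_construct` `0x004dfbe0` to the startup-dispatch arm at `0x483012` while the teardown side still lists `shell_game_window_destroy` `0x004dfd70` for mode `1`; one sentence saying where the `Game.win` construct is now reached would make the constructor/destructor pairing readable again.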
@ -820,6 +821,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
|
|||
0x00534e90,48,world_secondary_raster_query_cell_marked_bit,map,thiscall,inferred,objdump + caller inspection + raster-cell correlation,3,"Tiny reusable bit query over the same 3-byte secondary-raster cell family rooted at `[this+0x165d]` with row stride `[this+0x15dd]`. The helper resolves one cell from caller-supplied world-grid coordinates, reads the 16-bit companion word from that cell record, and returns bit `9` as a boolean marked-state flag. Current grounded callers include the secondary-grid overlay-cache service `world_service_secondary_grid_marked_cell_overlay_cache` `0x0044c670`, neighboring world scan or mutation branches at `0x004499a6`, `0x00449bdf`, and `0x00450f69`, plus one shell-side or editor-adjacent caller at `0x004a0e72`, which makes this the safest current name for the shared secondary-raster marked-bit predicate.","objdump + caller inspection + raster-cell correlation + secondary-grid overlay correlation"
|
||||
0x00534ec0,56,world_secondary_raster_query_cell_class_in_set_2_4_5,map,thiscall,inferred,objdump + caller inspection + raster-cell correlation,3,"Tiny reusable class-subset predicate over the same 3-byte secondary-raster family rooted at `[this+0x165d]` with row stride `[this+0x15dd]`. The helper resolves one caller-selected world-grid cell, masks the low three class bits from the first byte, and returns `1` only when that class is `2`, `4`, or `5`, else `0`. Current grounded callers include neighboring world-side setup, scan, and presentation branches around `0x00446418`, `0x00449c88`, `0x0044bdfc`, `0x0044dd78`, `0x0044ec51`, `0x0044f30e`, `0x0044f445`, `0x00450f7a`, and `0x004fa86c`, plus serializer-adjacent paths under `0x00446240`, so this is the safest current read for the shared secondary-raster class-subset predicate rather than a more player-facing terrain label.","objdump + caller inspection + raster-cell correlation + serializer correlation"
|
||||
0x00534f00,52,world_secondary_raster_query_cell_class_in_set_3_5,map,thiscall,inferred,objdump + caller inspection + raster-cell correlation,3,"Tiny reusable class-subset predicate over the same 3-byte secondary-raster family rooted at `[this+0x165d]` with row stride `[this+0x15dd]`. The helper resolves one caller-selected world-grid cell, masks the low three class bits from the first byte, and returns `1` only when that class is `3` or `5`, else `0`. Current grounded callers include neighboring world-side setup, serializer, and presentation branches around `0x00446240`, `0x00448cbf`, `0x0044dbcd`, `0x0044ec3d`, `0x0044ede9`, `0x0044ee0a`, `0x0044ef7a`, `0x0044f131`, `0x0044f1b5`, `0x0045105e`, `0x0047a569`, and `0x004df627`, so this is the safest current read for the shared secondary-raster class-subset predicate rather than a more player-facing terrain label.","objdump + caller inspection + raster-cell correlation + serializer correlation"
|
||||
0x0053fda0,96,shell_service_one_object_child_queue_and_deferred_state,shell,thiscall,inferred,objdump + analysis-context,4,Services one shell object beneath shell_runtime_prime. The helper optionally notifies the global shell controller at 0x006d4024 through 0x0051f950 when [this+0x5c] is nonnull then walks the child or service-node list rooted at [this+0x70]. For each child it conditionally signals deferred work through shell_signal_deferred_work_item_shutdown 0x0051f1d0 and dispatches the child through vtable slot +0x18. If byte [this+0x1d] is set the tail path also jumps through 0x0051f930 on the same shell controller. Current static context places it under shell_runtime_prime 0x00538b60 on the null-0x006cec78 mode-4 service path.,objdump + analysis-context + caller context
|
||||
0x00539fb0,924,shell_emit_geographic_label_frame_vertex24_records,bootstrap,thiscall,inferred,ghidra-headless,4,Expands the current geographic-label item into cached frame vertex24 records inside the caller buffer. The helper patches packed alpha into up to sixteen prebuilt 0x18-byte records copies additional 24-byte frame blocks from fixed item offsets and returns the emitted vertex count for the label border or backing geometry.,ghidra + rizin + llvm-objdump
|
||||
0x0053a440,14,shell_set_geographic_label_item_alpha,bootstrap,thiscall,inferred,ghidra-headless,4,Stores an 8-bit alpha input into the high-byte color field at [this+0x5b] for the current geographic-label item before frame or text emission.,ghidra + rizin + llvm-objdump
|
||||
0x0053a960,723,shell_emit_geographic_label_text_span,bootstrap,thiscall,inferred,ghidra-headless,4,Builds and emits one geographic-label text span for the current cell item. The helper calls the item vtable at +0x10 to materialize a null-terminated display string up to 0x12c bytes computes placement from item float fields and shell service state checks visibility through the shell bundle and forwards the resolved text payload into the presentation path through 0x005519f0. The item family aligns with gpdLabelDB and 2DLabel.imb rather than the parallel city assets.,ghidra + rizin + llvm-objdump
|
||||
|
|
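Review bot: The `0x0053fda0` row is out of address order, placed between `0x00534f00` and `0x00539fb0` although it sorts after `0x0053a960`; move it down so lookups by address in this block stay predictable. Its description field is also unquoted, which forces the text to drop commas ('is nonnull then walks the child or service-node list'). Quoting the field, as the neighbouring `0x00534e90` row does, would allow normal punctuation and backticked addresses.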
@ -886,6 +888,7 @@ address,size,name,subsystem,calling_convention,prototype_status,source_tool,conf
|
|||
0x00557010,159,intrusive_queue_clear_owned_nodes,support,cdecl,inferred,ghidra-headless,3,Specialized intrusive-queue clear path for containers with an auxiliary owner or context pointer at [this+0x14]. It iterates the owned node chain through the queue iterator helpers releases nested payload state unlinks each node and decrements the queue count before returning to the outer container clear helper.,ghidra + rizin + llvm-objdump
|
||||
0x005570b0,80,intrusive_queue_clear_and_release,support,cdecl,inferred,ghidra-headless,4,Clears and releases every node in one intrusive queue container. When [this+0x14] is present it routes through intrusive_queue_clear_owned_nodes; otherwise it walks the linked nodes directly releases them zeroes the head iterator and tail slots and resets the queued-node count at [this+0x0c].,ghidra + rizin + llvm-objdump
|
||||
0x00559520,166,surface_init_rgba_pixel_buffer,support,thiscall,inferred,ghidra-headless,3,Initializes or refreshes a small 0xec-byte RGBA pixel-buffer object from caller-supplied image data and dimensions. On first use it allocates the backing object through 0x0053b070 stores width and height at [this+0xa2] and [this+0xa6] seeds the inner surface through 0x00543980 and 0x00541970 then copies width*height*4 bytes from the source buffer before finalizing through 0x005438d0. Current callers use it from the PaintTerrain preview path and the Multiplayer.win map-preview branch.,ghidra + rizin + llvm-objdump + strings
|
||||
0x005595d0,1632,shell_child_control_service_presentation_and_overlay_pass,shell,thiscall,inferred,objdump + runtime probe correlation,4,"Services one registered shell child-control beneath the object walker `shell_service_one_object_child_queue_and_deferred_state` `0x0053fda0`. The helper is first gated by `0x00558670`, which checks child flags `[this+0x68/+0x6a]`, parent pointer `[this+0x86]`, and shell controller byte `[0x006d4024+0x57]`. Once admitted, the body fans out by style field `[this+0xb0]` and spends most of its work in presentation helpers including `0x54f710`, `0x54f9f0`, `0x54fdd0`, `0x53de00`, and `0x552560`, using child-local geometry floats and the owning window pointer at `[this+0x86]` to emit overlay or control visuals. Current live hook probes on the frozen mode-4 auto-load path show the early `LoadScreen.win` children all point back to the same parent through `[child+0x86]`, typically carry `flag_68 = 0x03` and `flag_6a = 0x03`, and return `4`, while later siblings with `flag_68 = 0x00` return `0`; in all traced cases `0x006cec78` stays `0`, so this now reads as a presentation-side child service owner rather than the missing startup-runtime promotion lane.","objdump + runtime probe correlation + child-service gating correlation"
|
||||
0x00565110,600,shell_rebuild_layout_state_and_optional_texture_report,shell,thiscall,inferred,ghidra-headless,3,Rebuilds the active shell layout-state branch when the current mode requires a deeper reset and optionally publishes the texture budget report through 0x00527650. The routine checks the current layout mode through 0x00545e00 tears down and recreates layout-state services through 0x0055dd80 and 0x0055e2b0 optionally notifies global shell services and when the caller flag is set emits the report then commits one layout refresh step through 0x00545d60.,ghidra + rizin + llvm-objdump + strings
|
||||
0x0058bc90,23,multiplayer_gamespy_route_set_extended_payload_callback,shell,thiscall,inferred,objdump,3,"Tiny callback-slot helper for one GameSpy-style route object. It stores the caller callback pointer in `[route+0xa0]`, or in the default route singleton at `0x00629948` when `ecx` is null. The current grounded transport-side caller is multiplayer_transport_try_connect_status_route, which patches the status route's validated extended-payload callback slot to `0x597330` after route construction.",objdump
|
||||
0x0058c9b0,404,multiplayer_gamespy_route_construct_and_seed_callback_vector,shell,thiscall,inferred,objdump,3,"Constructs or replaces one 0x108-byte GameSpy-style route object and seeds its callback vector. The helper allocates the route object when the caller owner slot is non-null, copies two caller strings into the local route buffers at `+0x04` and `+0x44`, stores the supplied callback table across `[route+0x88]` through `[route+0x9c]`, records the owner context at `[route+0x104]`, initializes the route cookie state and recent-cookie ring, and explicitly zeroes the secondary callback slots `[route+0xa0]`, `[route+0xa4]`, and `[route+0xd4]` before any later patch-up. Current grounded callers are multiplayer_transport_try_connect_status_route and multiplayer_transport_try_connect_live_route through the wrapper at `0x58cc40` or the constructor directly.","objdump"
|
||||
|
|
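Review bot: The `0x005595d0` row mixes address forms: `0x00558670` and `0x0053fda0` are zero-padded to eight digits, while the presentation helpers are written as `0x54f710`, `0x54f9f0`, `0x54fdd0`, `0x53de00`, and `0x552560`. A text search for the padded form used in the address column will miss those cross-references, so pad them to match. The probe observations (`flag_68 = 0x03`, return `4` versus `0`) are recorded without saying what the return value means; either state the interpretation or mark it as not yet decoded.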
|
|||
|